
Microsoft has no patch available.

A self-described retired vulnerability researcher who goes by the handle SandboxEscaper announced the Windows 10 zero-day on Twitter on Aug. 27, complete with proof-of-concept (POC) code hosted on GitHub, but didn't notify Microsoft beforehand. The flaw is part of the Windows Task Scheduler, and it can allow an attacker to obtain system privileges.

According to the CERT Coordination Center (CERT/CC) advisory, the "Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface."

"We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems," Will Dormann, vulnerability analyst for CERT/CC, wrote in the advisory. "Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code."

Dormann also confirmed on Twitter that although the POC released by SandboxEscaper was designed to be a Windows 10 zero-day and affect 64-bit systems, the exploit would also work on 32-bit systems with "minor tweaks."

Craig Young, computer security researcher at Tripwire, based in Portland, Ore., noted that the Windows 10 zero-day would allow "the caller to manipulate file permissions of protected system files."

"This can be used to overwrite system libraries with malicious code to hijack Windows. With this published exploit code, it is trivial for malware to take complete control of the system after the malware has been loaded," Young wrote via email. "Without a privilege escalation bug like this, the malware would be dependent on users clicking through access control alerts or entering administrator credentials."

Risk vs. exploit code

Experts generally agreed the level of risk for this Task Scheduler Windows 10 zero-day wouldn't normally be too severe, because the exploit requires local access. This means an attacker would have to trick a user into downloading and running a malicious program, or they would need to have previously gained access to a system. However, experts said the release of the POC code changes the risk profile for the Windows 10 zero-day.

Allan Liska, solutions architect at Recorded Future, based in Somerville, Mass., added that this Windows 10 zero-day is another flaw in a long history of issues in the Windows Task Scheduler service.

"At this time, there is no patch for the vulnerability. One possible mitigation is to prevent untrusted -- usually guest -- users from running code. However, if an attacker gains access with user-level privilege, this mitigation will not work," Liska said in an email. "The best bet until Microsoft releases a patch is to monitor for suspicious activity from Task Scheduler, and for this specific POC, monitor for the print spooler service spawning unusual processes," he continued.

"Though bear in mind that while the POC uses the print spooler service, this vulnerability is not limited to just the print spooler. With some minor tweaking, the POC code could be used to execute other services."
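One way to act on the detection advice above (spoolsv.exe spawning unusual processes) is to baseline what the Print Spooler normally launches and alert on anything else. The following is an added example, not code from the article or from any vendor quoted in it; the records are constructed in the shape of Sysmon Event ID 1 fields, and the baseline of expected spooler children is a hypothetical starting point to tune per environment.

```python
import ntpath

# Hypothetical baseline of binaries the Print Spooler legitimately launches; tune per environment.
EXPECTED_SPOOLER_CHILDREN = {"splwow64.exe", "printfilterpipelinesvc.exe"}
SPOOLER = "spoolsv.exe"

# Constructed sample records shaped like Sysmon Event ID 1 (process create) exports.
SAMPLE_EVENTS = """\
EventID=1|Image=C:\\Windows\\splwow64.exe|ParentImage=C:\\Windows\\System32\\spoolsv.exe|User=NT AUTHORITY\\SYSTEM
EventID=1|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\spoolsv.exe|User=NT AUTHORITY\\SYSTEM
EventID=1|Image=C:\\Windows\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|User=DESKTOP\\alice
EventID=3|Image=C:\\Windows\\System32\\svchost.exe|ParentImage=C:\\Windows\\System32\\services.exe|User=NT AUTHORITY\\SYSTEM
EventID=1|Image=C:\\Users\\Public\\updater.exe|ParentImage=C:\\WINDOWS\\SYSTEM32\\SPOOLSV.EXE|User=NT AUTHORITY\\SYSTEM
"""


def parse_event(line):
    """Turn one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path):
    """Case-insensitive file name of a Windows path (works off-Windows too)."""
    return ntpath.basename(path).lower()


def spooler_anomalies(log_text):
    """Return (image, user) for every process spoolsv.exe created that is not in the baseline."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "1":  # only process-creation events matter here
            continue
        if basename(ev.get("ParentImage", "")) != SPOOLER:
            continue
        child = basename(ev.get("Image", ""))
        if child not in EXPECTED_SPOOLER_CHILDREN:
            hits.append((ev["Image"], ev.get("User", "")))
    return hits


if __name__ == "__main__":
    for image, user in spooler_anomalies(SAMPLE_EVENTS):
        print(f"ALERT: spoolsv.exe spawned {image} as {user}")
```

Running it against the constructed records flags cmd.exe and updater.exe (the SYSTEM-level children a spooler should never start) while ignoring splwow64.exe and non-spooler parents.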

Without giving specifics, SandboxEscaper expressed frustration with Microsoft and with infosec in general before releasing the Windows 10 zero-day on Twitter, but appeared regretful two days later, tweeting:

I screwed up, not MSFT (they are actually a cool company). Depression sucks. Also, this bug and the use of hardlinks are of course inspired by Forshaw. Anyway, I'm done with security. This is all just so dumb and stupid.

SandboxEscaper had mentioned a battle with depression and a desire to quit vulnerability research in a number of tweets leading up to releasing the POC code, and the vast majority of commenters offered messages of empathy or aid.

Microsoft did not respond to requests for comment at the time of this post.
